F5 Warns of a New Critical BIG-IP Remote Code Execution Vulnerability

Cloud security and application delivery network (ADN) provider F5 on Wednesday released patches to contain 43 bugs spanning its products.

Of the 43 issues addressed, one is rated Critical, 17 are rated High, 24 are rated Medium, and one is rated low in severity.

Chief among the flaws is CVE-2022-1388, which carries a CVSS score of 9.8 out of a maximum of 10 and stems from a lack of authentication check, potentially allowing an attacker to take control of an affected system.

“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services,” F5 said in an advisory. “There is no data plane exposure; this is a control plane issue only.”

The security vulnerability, which the company said was discovered internally, affects BIG-IP products with the following versions -

• 16.1.0 - 16.1.2
• 15.1.0 - 15.1.5
• 14.1.0 - 14.1.4
• 13.1.0 - 13.1.4
• 12.1.0 - 12.1.6
• 11.6.1 - 11.6.5

Patches for the iControl REST authentication bypass flaw have been introduced in versions 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, and 13.1.5. Other F5 products such as BIG-IQ Centralized Management, F5OS-A, F5OS-C, and Traffix SDC are not vulnerable to CVE-2022-1388.

F5 has also offered temporary workarounds until the fixes can be applied -

• Block iControl REST access through the self IP address
• Block iControl REST access through the management interface
• Modify the BIG-IP httpd configuration

Other notable bugs resolved as part of the update include those that could permit an authenticated attacker to bypass Appliance mode restrictions and execute arbitrary JavaScript code in the context of the currently logged-in user.

With F5 appliances widely deployed in enterprise networks, it’s imperative that organizations move quickly to apply the patches to prevent threat actors from exploiting the attack vector for initial access.

The security fixes come as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added five new flaws to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation -

• CVE-2021-1789 - Apple Multiple Products Type Confusion Vulnerability
• CVE-2019-8506 - Apple Multiple Products Type Confusion Vulnerability
• CVE-2014-4113 - Microsoft Win32k Privilege Escalation Vulnerability
• CVE-2014-0322 - Microsoft Internet Explorer Use-After-Free Vulnerability
• CVE-2014-0160 - OpenSSL Information Disclosure Vulnerability

Found this article interesting? Follow THN on Facebook, Twitter  and LinkedIn to read more exclusive content we post.